This note is to thank u for helping in my CEH. I got through the exam about 2 hrs ago with 91/100

I have one advise to all who want to do the CEH. Grab a Test King or similar document. 95% of the questions are there. But dont rely on the answers given by them. Lot of mistakes there. But study each question carefully and find all background information from the web.

If it is a tool, download it run it and experience it. Study all the Snort Logs , NMAP outputs using the questions as the guide.

So by the time u are done though the question list you have gained more than enogh knowladge to pass.

Best of Luck to those who plan to do the exam in the near future and thanks for the guys who gave me hints on areas to concentrate

Can you tell us what EH-Net content helped you? I'd be interested to hear what sections, threads, articles or members were most helpful.

As for brain dumps, I agree with you. Most of the answers are wrong. But if you use the questions as a study guide and a foundation to plot your studies and lab work, that is a better way to go. On the other hand, this also means that you can pass the exam without them, and sometimes being provided the answers (albeit wrong ones) is too tempting for some. So leaving them alone is probably a better way to go.

Now that you have passed the exam, now what? I'm sure you realize this is just the beginning!

I agree with Don. But considering the extent of the tools covered and the size of the syllabus, you just cant cover everything unless you are full time studying. So a brain dump like test king is a excellent guide. And if you can find out the correct answers to the questions there, u are gurenteed to pass.

Anyway there were number of questions on packet dumps. So try to understand them. specially Snort dumps. learn to identify IP flags, ehternet and IP source and destination addresses. Also remember the hex codes for ASCII claractors ,numbers and special charactors like '. ( need this to identify sql injections) . Also remember common port numbers like FTP/Telnet/SSH/SSL/TFTP/SNMP/DNS/Netbios/Keberos/IKE authentication (port 500).

If there are any specific questions, I will try to answer from what ever I know.

don wrote:Can you tell us what EH-Net content helped you? I'd be interested to hear what sections, threads, articles or members were most helpful.

Well the chapter form the CEH: Exam Prep 2 - Technical Foundations of Hacking http://www.ethicalhacker.net/content/view/50/2/was quite useful. Also the thread I started about 2 weeks ago. you, Oyle, and jimbob gave some hints on what to expect on the exams.

don wrote:Now that you have passed the exam, now what? I'm sure you realize this is just the beginning!

Next in line is the two Checkpoint NG certifications. I did CCSA and CCSE for CP2000 about 5 years ago. Need to do it again for the NG.

skel wrote:Next in line is the two Checkpoint NG certifications. I did CCSA and CCSE for CP2000 about 5 years ago. Need to do it again for the NG.

Anybody who has done it here ??

I did the CCSA and CCSE NG with Application Inteligence courses in September 2004, and I passed the CCSA exam (156-210.4) in February 2005. The latest exam is for CCSA NGX which is exam 156-215.

If you're going to be doing the cert, I recommend getting the official courseware, as it covers the material very well and the exam questions are taken from it word for word. Do you work regularly with Check Point products? Do you have any questions?

Perhaps start a new thread as this isn't really CEH related.

Last edited by Negrita on Mon Sep 18, 2006 1:18 am, edited 1 time in total.

CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

Hey skel, you mentioned that the Test King examine prep was filled with errors. Would you say the errors were 10% , 20% or more ? There are several examine preps for the CEH that are available and it might be good if we had reviews of them for CEH candidates. I know Preplogic and Boson offer CEH examine preps, but it seems I have only heard negatives about them so far.

I would think the errors would be around 10%. But which 10% is the big question. Some CEH questions are very ambigous. So even if u search the whole internet u cant get a clear solution.

For Ex look at the following q

An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be identified:

21 ftp 23 telnet 80 http 443 https

What does this suggest ?

A. This is a Windows Domain Controller B. The host is not firewalled C. The host is not a Linux or Solaris system D. The host is not properly patched

I realy dont know what the answer to this. And I got this in the exam too.

So best is to use the test king as guide and dig for information. So end of the day u will not only pass the exam but have good knowlade on hacking too.

I havent seen preplogic or Bonson Exams, But I read in one Checkpoint forum that one guy got only about 5 questions in the exams from the Bonson Practice test. May be a member who has done Bonson can comment on this.

Kev wrote: Hey skel, you mentioned that the Test King examine prep was filled with errors. Would you say the errors were 10% , 20% or more ? There are several examine preps for the CEH that are available and it might be good if we had reviews of them for CEH candidates. I know Preplogic and Boson offer CEH examine preps, but it seems I have only heard negatives about them so far.

Also Look at this question

Snort has been used to capture packets on the network. On studying the packets, the penetration testerfinds it to be abnormal. If you were the penetration tester, why would you find this abnormal?(Note: The student is being tested on concept learnt during passive OS fingerprinting, basic TCP/IPconnection concepts and the ability to read packet signatures from a sniff dumo.)05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1TCP TTL:44 TOS:0x10 ID:242***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400...05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024TCP TTL:44 TOS:0x10 ID:242***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400What is odd about this attack? (Choose the most appropriate statement)A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.B. This is back orifice activity as the scan comes from port 31337.C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.D. There packets were created by a tool; they were not created by a standard IP stack.

Test king says answer is B. But I think the answer should be D because a valid IP packet cannot have a all FRP flags set. So this has to be a tool.

1. The one I remember has a kerberos port open as well. This was the clue that it was a windows machine.2. 31337 (AKA: Elite) is the port used by Back Orifice. Once you see that, forget about the rest.

1. This attack is obviously a port scan using malformed TCP packets (scaning ports from 1 to 1024)2. Also notice the scans originate form port 31337. 3. The packets are TCP

The BO is known to listen on port 31337. But I doubt that it originates sessions from the listning port. If the destination port was 31337 then the communication is probably BO. So the source port being 31337 could mean thst it is a random port but it just happened to be 31337 in this case.

I can also remember reading somewhere that BO uses UDP (may be I am wrong here).

In addition does BO have plugins to do port scanning? This I dont know. I have not seen a plugin to do this.